From owner-svn-ports-all@FreeBSD.ORG Mon Jun 1 18:44:15 2015 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6AF46360; Mon, 1 Jun 2015 18:44:15 +0000 (UTC) (envelope-from mmoll@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4CD9A15A4; Mon, 1 Jun 2015 18:44:15 +0000 (UTC) (envelope-from mmoll@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t51IiFdu043377; Mon, 1 Jun 2015 18:44:15 GMT (envelope-from mmoll@FreeBSD.org) Received: (from mmoll@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t51IiEF2043376; Mon, 1 Jun 2015 18:44:14 GMT (envelope-from mmoll@FreeBSD.org) Message-Id: <201506011844.t51IiEF2043376@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: mmoll set sender to mmoll@FreeBSD.org using -f From: Michael Moll Date: Mon, 1 Jun 2015 18:44:14 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r388251 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jun 2015 18:44:15 -0000 Author: mmoll Date: Mon Jun 1 18:44:14 2015 New Revision: 388251 URL: https://svnweb.freebsd.org/changeset/ports/388251 Log: security/vuxml: add www/rubygem-rest-client vulnerabilities PR: 200504 Differential Revision: https://reviews.freebsd.org/D2699 Submitted by: Sevan Janiyan Approved by: ports-secteam (delphij, eadler) Security: CVE-2015-1820 Security: CVE-2015-3448 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Jun 1 18:43:21 2015 (r388250) +++ head/security/vuxml/vuln.xml Mon Jun 1 18:44:14 2015 (r388251) @@ -57,6 +57,65 @@ Notes: --> + + rest-client -- plaintext password disclosure + + + rubygem-rest-client + 1.6.7_1 + + + + +

The open sourced vulnerability database reports:

+
+

REST Client for Ruby contains a flaw that is due to the application + logging password information in plaintext. This may allow a local + attacker to gain access to password information.

+
+ + + + CVE-2015-3448 + 200504 + https://github.com/rest-client/rest-client/issues/349 + http://osvdb.org/show/osvdb/117461 + + + 2015-01-12 + 2015-05-31 + + + + + rest-client -- session fixation vulnerability + + + rubygem-rest-client + 1.6.7_1 + + + + +

Andy Brody reports:

+
+

When Ruby rest-client processes an HTTP redirection response, + it blindly passes along the values from any Set-Cookie headers to the + redirection target, regardless of domain, path, or expiration.

+
+ + + + CVE-2015-1820 + 200504 + https://github.com/rest-client/rest-client/issues/369 + + + 2015-03-24 + 2015-05-31 + + + cabextract -- directory traversal with UTF-8 symbols in filenames